Queensland has passed the Information Privacy and Other Legislation Amendment Bill 2023, marking a significant step towards a mandatory data breach notification scheme for public sector entities. This legislation, approved in less than two months, mandates that state and local government bodies notify both affected individuals and the state’s privacy watchdog of significant data breaches likely to cause serious harm.
Similar to the existing Commonwealth Notifiable Data Breaches Scheme, the Queensland scheme expands coverage to state agencies, state-owned corporations, and local councils, bridging a crucial gap in data breach protocols. While the state-level scheme comes into force in stages—beginning July 2025 for state government entities and by July 2026 for local governments—it reflects a proactive approach in aligning with national privacy principles.
The Office of the Information Commissioner Queensland had long advocated for such a scheme, emphasizing the necessity of promptly addressing corruption risks associated with sensitive information. The initiative gained momentum following a critical review of the state’s public sector and subsequent endorsements from various authorities.
Notably, the revised bill emphasizes a 30-day timeframe for agencies to assess the need for notification post-breach, with provisions for reasonable extensions. Amendments to the bill aimed to curtail agencies’ unilateral extension of the notification period indefinitely, ensuring a more structured approach to addressing breaches.
The legislation also aims to harmonize state privacy laws with national standards, streamline Right to Information frameworks, and elevate penalties for the misuse of restricted computers. Attorney-General Yvette D’Ath hailed this development as a crucial step towards bolstering public confidence in Queensland’s privacy laws, enhancing transparency, and empowering affected individuals to mitigate adverse impacts from breaches.
Moreover, Ms. D’Ath hinted at further reforms in line with the ongoing review of the Commonwealth Privacy Act, suggesting that Queensland’s proactive measures will augment privacy protections for its citizens even before potential changes at the federal level.
